Avoiding perils of BYOD

Personal devices appealing but risky
By Sarah Dobson
Canadian HR Reporter | Last Updated: 10/09/2012

A few years back, Intel realized many of its tech-savvy employees were keen to use their own personal devices for work. Instead of fighting the trend, the company embraced it.

“It’s really about making sure that we stay ahead of it and work to be inclusive of these disruptions, rather than try to hold the dogs at bay,” says Elaine Mah, director at Intel Canada in Toronto.

“Thinking about the newer-generation workforce, they’re incredibly creative and some can be quite tenacious and the last thing you want is your paranoia for security and control to be so rigid that you don’t look at what’s happening behind you and you have employees that are creating security breaches you’re not even aware of.”

The consumerization of IT — or bring-your-own-device (BYOD) movement — is really about choice for the end user, along with overall changes in technology, she says.

“This is really about employees being more engaged in defining how they work.”

But is the rise in BYOD being met with appropriate governance? Although 69 per cent of companies permit some form of BYOD, a similar proportion of firms — 70 per cent — have no policy to manage the practice, according to a 2012 survey of 504 respondents by IDC Canada.

And while 26 per cent of those with no policy plan to have one in place within one year, 44 per cent said they have no plans to enact one at all.

“Some employers have been turning a blind eye to employees accessing corporate networks through personal smartphones and are sometimes surprised to learn how pervasive that practice has become,” says Christine Ing, a lawyer specializing in IT law at Gowlings in Toronto.

“Where the demand is obvious, employers are well-advised to carefully think through the issues and develop an appropriate policy.”

What to include in a BYOD policy

There are several issues to address when it comes to BYOD, particularly around security, confidentiality and privacy.

The process should start with determining which devices will be included in the BYOD program, who will be entitled to participate, how many devices each participant can have, what the approval process will be, what support the organization will provide and financial aspects, says Ing.

“It is important for the organization to keep an up-to-date inventory of participating devices. From a legal perspective, it is important that the organization know who is in possession and control of business information and where that information resides. There are document retention considerations here, as well as e-discovery-related concerns.”

When it comes to security and privacy considerations, the goal is to avoid data leakage, she says, so employers need to look at user authentication processes and data encryption protocols to protect business information stored on or transmitted to and from the devices.

“The organization’s IT function will also need to consider what controls or restrictions are appropriate in relation to apps used by the employee for business purposes,” says Ing.

Employers also need to know what “clouds” their business information resides in and whether there are reasonable and appropriate security safeguards, taking into consideration the nature of the stored information and the organization’s legal obligations — whether under statute or pursuant to its contractual obligations, says Ing.

“The fact that ownership of the device resides with the employee should not change this.”

Mandatory, annual training has helped reinforce Intel’s rules around BYOD, says Mah, citing the company’s chief information security officer.

“He has a philosophy that the people are the perimeter, that it doesn’t matter what kind of hardware you purchase or approve, it doesn’t matter what kind of software you install or purchase and implement — at the end of the day, it’s the individual that can be your most volatile tripwire as far as security goes.”

The big concern tends to be more around safeguarding corporate data and making sure people aren’t undertaking risky activity that’s going to result in a leakage, says Michael Argast, Vancouver-based director of Telus security solutions for Western Canada.

Typically employers say, “If it’s on our network but you’re connecting with your personal device, then the same rules apply as to a computer on our network,” he says.

Workers often have to sign agreements that clearly define the boundaries, such as employer monitoring, says Argast.

“It’s more about the organization really defining what’s permitted or not permitted.”

Privacy concerns

There are also numerous implications to work through when it comes to employee privacy and legal rights, says Mah. If a device has personal and private data, it’s about creating distinctions, knowing the boundaries of what is enforceable by corporate policy.

“That kind of governance was certainly a challenge for an organization on a scale like Intel,” she says (the company has 100,000 employees, with about 200 in Canada). “It’s really about first defining a privacy framework for the device and being able to have a way to, ideally… partition the personal from the professional, but coming up with the right tool or solution that is appropriate.”

It’s about balancing an employee’s expectation of privacy against an organization’s legitimate need to manage and control its business information, says Ing, adding the HR, IT and legal functions are all stakeholders.

“There is case law that recognizes an employee’s reasonable expectation of privacy, even with respect to personal information stored on an employer-owned PC,” she says. “An employee’s reasonable expectation of privacy may even be higher with respect to personal information stored on his or her personally owned device.”

An organization needs to be very clear through its policies and practices about why it may monitor employee device usage and what it might do with the information it collects, says Ing. One issue that’s particularly challenging relates to the practice of IT “remote wiping” data when an employer-owned device is lost or stolen.

“At a minimum, an organization’s BYOD policy should make it clear that loss of personal information, whether in the context of remote wiping or in connection with any monitoring, support or other activities of the organization, is a possibility,” says Ing, adding employees could sign waivers to consent to the wiping activities and release the employer from any liability arising from such activities.

There needs to be some agreement with employees in terms of loading software onto the devices and there are also implications around the timing, says Argast, citing a case in the United States where a worker who was let go had his device wiped and then brought a lawsuit against the firm, saying he lost valuable personal information related to a business plan.

“There’s things around the end-user agreement which aren’t typically covered in standard IT policies at an organization, especially because this is actually a personal device rather than a work-provided device,” he says.

Privacy may also be an issue when data on the device passes through monitoring software as part of normal operations, says Argast.

For example, one government employer in Canada wanted to be able to message users in the case of an emergency, but this software would show where each employee was at any given point.

“This mobile capability management software does have, in many cases, those sorts of capabilities and there are privacy concerns.”
